Twitter worms spread quickly thanks to blatant security flaw

A bunch of worms made using Twitter's website earlier today a risky affair; …

Anyone checking twitter.com this morning was probably greeted with a mess of JavaScript, mouseover effects, and spam retweets, after a flaw in the site's handling of hyperlinks allowed attackers to inject scripts into Twitter's pages. The mere act of visiting the site with scripting enabled was sufficient to cause exploitation. Payloads ranged from the harmless—tweets with a black background—to the more malicious—redirection to porn sites.

The flaw was classified as a cross-site scripting (XSS) bug. Due to an error in the way that Twitter processed messages, it was possible to include JavaScript in tweets, and that JavaScript could then do more or less anything, including sending more JavaScript-containing tweets. The technique was devised last night by Twitter user Magnus Holm. Holm says that he didn't find the XSS flaw itself, but he appears to have been the first to write a worm that exploited it.

Generally, Web applications that incorporate text from untrusted sources must encode that text for the context it will be displayed in before inserting it into a page. Today's flaw was a failure to do that correctly. The twitter.com website converts URLs in tweets into clickable hyperlinks. However, if a URL contained an "at" symbol (@), the text following it was not handled properly during the conversion: it was written into the generated anchor tag without being escaped, so a quote character inside the "URL" could close the link's href attribute, and whatever followed became additional attributes on the link, including event handlers (hence the mouseover effects) that the browser executed as JavaScript. Because this JavaScript runs on pages served from twitter.com, it has the same access as the logged-in user to every other feature of the site, including the ability to send tweets. That is what allowed the injected script to propagate itself, forming the basis of today's worms, which saw many tens of thousands of tweets sent automatically.
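To make the mechanism concrete, here is an added example (not Twitter's code and not part of the original article): a toy URL autolinker in JavaScript with the class of bug described above, beside a hardened version of the same function. The regular expression, the helper names and the sample tweet are constructed for illustration; the injected handler only calls alert(1) as a marker.

```javascript
// Added example: a toy URL autolinker with the class of bug described in the
// article, beside a hardened version. This is NOT Twitter's code; the regex,
// the helper names and the sample tweet below are constructed for illustration.

// Matches http(s) URLs up to the next whitespace, like a naive autolinker.
const URL_RE = /https?:\/\/\S+/g;

// Constructed sample tweet. The text after the "@" is not a URL at all: the
// first double quote is meant to close the href attribute, after which
// onmouseover="alert(1)" is read by the browser as a new attribute.
const SAMPLE_TWEET = 'look at this http://example.com/@"onmouseover="alert(1)" now';

// VULNERABLE: splices the matched text straight into the anchor tag with no
// escaping, so attacker-controlled quote characters rewrite the tag.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Encode the characters that are significant in HTML text and in
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only strings the URL parser understands as http(s). URL_RE already
// restricts the scheme, so this is defence in depth against a looser matcher
// letting javascript: or malformed input through.
function isSafeUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// HARDENED: build the markup from fixed templates and encode every untrusted
// fragment for the context it lands in (text node or attribute value).
function linkifyHardened(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const candidate = m[0];
    if (isSafeUrl(candidate)) {
      const safe = escapeHtml(candidate);
      out += `<a href="${safe}">${safe}</a>`;
    } else {
      // Not a usable URL: show it as plain text rather than linking it.
      out += escapeHtml(candidate);
    }
    last = m.index + candidate.length;
  }
  return out + escapeHtml(text.slice(last));
}

// True when the generated markup contains an attribute break-out, i.e. a raw
// double quote followed by an event-handler name. Used to compare the two.
function hasInjectedHandler(html) {
  return /"\s*on[a-z]+\s*=/i.test(html);
}

console.log(hasInjectedHandler(linkifyVulnerable(SAMPLE_TWEET))); // true
console.log(hasInjectedHandler(linkifyHardened(SAMPLE_TWEET)));   // false
```

Two things make the hardened version safe: the markup template is fixed and every untrusted fragment is encoded for the context it lands in, so the quote after the "@" becomes `&quot;` and can no longer close the attribute; and anything the URL parser rejects is shown as plain text instead of becoming a link. The escaping alone is what stops the break-out; the parser check is there for the day someone loosens the matcher.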

The flaw only affected the "old" Twitter site. "New" Twitter, which started being rolled out to users last week, apparently handled the malicious messages properly, though reports are inconsistent. Third-party applications, which have to do their own parsing of tweets, typically weren't vulnerable. Using third-party clients does not make one immune to such flaws—Web-based clients are, at least in principle, susceptible to similar coding errors—but an XSS attack coded to exploit twitter.com is unlikely to affect any other client.

Twitter has now fixed the flaw, making the site safe to visit again. Today's problem will raise further questions about Twitter's ability to secure its service. The company's implementation of OAuth, used by third-party applications to authenticate account access, has a number of problems, and a similar worm spread last year. Last year's attack inserted JavaScript into Twitter users' profiles rather than into their actual tweets, but the basic concept was identical. XSS bugs are not new, nor even particularly clever; for Twitter to yet again fall foul of one, with such public, widespread repercussions, is sure to be an embarrassment to the site.

Brilliant idea of mixing presentation markup with content and imperative scripting creates another security flaw shock. Brendan Eich is a talentless hack, and shame on Netscape for allowing this half-baked crap into the wild.

Well, I like the text limit imposed by Twitter. I recommend that my management replace our email server with Twitter so we force everyone to use haiku in their messages. And I am sure this will be an appealing reason to attract younger crowds to where I work.

Seriously, Twitter, Facebook, and the latest fads are reasons why the web is dead. R.I.P. web.

Twitter's as informative as the people you follow. Because tweets are necessarily short, it can be a time-saving supplement to RSS for quick, human-curated information.

I follow the local Onion AV Club branch, local venues, and local music scenesters to keep up on local events (concerts, festivals, new restaurants). I follow people in my industry who link to articles and new technologies. I follow former colleagues to keep up on what they're doing professionally.

How was it not on topic? I stated my opinion on a service that the entire article was about. And considering this entire flaw was the product of piss-poor software engineering, I'd say my "sucks" comment still stands.

I think Twitter and Facebook have their uses. Much of it is egotastic but there are some really entertaining people on there generating great content. The great stuff is mixed in with the crap and it just takes a little time to sort through the clutter of 'i just had a sammich' and 'my latest cat & string video' messages.

Not sure if he's American or not (the name sounds Swedish but that doesn't necessarily mean anything) but I'm curious what kinds of repercussions this guy will face. It wasn't long ago that jail time was imminent if you wrote a worm or virus that wreaked havoc.

I just think it's funny how trolls feel the need to inform all of us in every Twitter or Facebook article just how badly they hate the service. We get it. You hate it.

Now, continue posting under 140 character messages on a website for others to read and respond to. (think about it)

If you think Twitter is useless, you're following the wrong people and/or hashtags. Watch #sqlhelp for a little bit for examples. If you're seeing people post that they're eating a sandwich or killing time in a meeting or going to the bathroom, it's your own damn fault for following those people.

And I assume that, if you hate Twitter, you don't use text messaging. Or is the extra 20 characters per message enough to transform it from an inherently useless technology to an inherently useful one?

So somebody expressing their own opinion is trolling now? I just think it's funny how people respond to "trolls" in order to inform all of us just how much they dislike them. (think about it)

There's really nothing wrong with the idea of Twitter, though I've barely even read a handful of tweets. It's the media hype and the focus on celebrity and follower counts and the huge amounts of irrelevant posts that make it seem like a waste. Otherwise, it's just an executive summary-style presentation of what people are thinking about. That's hard to use well but does have potential; I wouldn't have the patience to find the few gems though.

Without Eich, we wouldn't have had the wonderful frames control that enabled Hell.com to masticate our brains back in '95. We also would never have experienced the buttons that moved when you tried to click on them, and we may never have experienced script animated ads that would routinely crash our browsers.

When developing websites, I tend to avoid JavaScript if at all possible. I hate when it's suggested to use script to work around rendering bugs. And now I'm told IE9 doesn't support the declarative SMIL animations in my SVG graphics, because I can write (complex) scripts to do that. So don't just have a hate-on for Netscape.

He's Norwegian. I seriously doubt he will be extradited to the US. But they can sue him in a Norwegian court. I'm not a lawyer, but I don't think this is covered by the penal code. The best they can hope for is being awarded damages.

The Norwegian courts are very conservative in awarding damages, and it is usually limited to direct damages, e.g. the hours they spent on cleaning up after the worm. Thankfully they do not award claims for distress, emotional strain or other mumbo jumbo unless it is a violent crime.

Judging from Magnus' tweets while the worm was spreading, he was really surprised at how effective it was, and that it worked. So they will have a hard time proving malicious intent.

Yeah, I didn't figure he was American and probably wouldn't see any kind of American wrath of law. Way back in the prehistoric era when Robert Morris released his worm he didn't figure it would work as well as it did. He was lucky to be the son of an upper-level NSA official and got off very lightly. Back when it happened there was talk of him serving a very long jail sentence.